#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and connection tracking
        iif lo accept
        ct state invalid drop
        ct state { established, related } accept

        # HTTP/HTTPS, PostgreSQL (5432) and Syncthing (22000: TCP sync, UDP/QUIC).
        # 5432 is PostgreSQL's registered port; a database reachable from every
        # source address is unusual, so restrict it to known peers if possible.
        # Beyond 5 new connections/second the packets fall through to the drop policy.
        tcp dport { http, https, 5432, 22000 } limit rate 5/second accept
        udp dport 22000 limit rate 5/second accept

        # SSH (as labelled; 995 is the registered pop3s port, so either sshd
        # listens on 995 or this label is stale). Port 22 is not opened.
        tcp dport 995 limit rate 15/minute accept

        # TURN: control ports plus the UDP relay range 49152-49652
        tcp dport { 3478, 5349 } limit rate 5/second accept
        udp dport { 3478, 5349, 49152-49652 } limit rate 5/second accept

        # ICMP. Caveat: the 1/second cap also applies to ICMPv6 neighbour
        # discovery, which does not match "established", and may stall IPv6
        # on a busy link.
        meta l4proto icmp limit rate 1/second accept
        meta l4proto ipv6-icmp limit rate 1/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
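Before loading, validate the file with `nft -c -f /etc/nftables.conf` (a syntax check without applying it). The script below is an added example, not part of the original ruleset: it parses the input chain's text, expands `dport { ... }` sets and port ranges, and lists every protocol/port accepted from any source with its rate limit, so that world-reachable services such as 5432 stand out. The ruleset is embedded as a constructed string, and the `SERVICE_PORTS` table and `NOTABLE` dictionary are assumptions of this example (a real run could resolve names via `socket.getservbyname`).

```python
"""Audit the ports an nftables input chain exposes to the world.

Added example, not part of the original ruleset. It parses the textual
ruleset and reports each `tcp/udp dport ... accept` rule in the input chain.
"""
import re
import socket

# Constructed copy of the ruleset under review (abridged to the input chain).
RULESET = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state { established, related } accept
        tcp dport { http, https, 5432, 22000 } limit rate 5/second accept
        udp dport 22000 limit rate 5/second accept
        tcp dport 995 limit rate 15/minute accept
        tcp dport { 3478, 5349 } limit rate 5/second accept
        udp dport { 3478, 5349, 49152-49652 } limit rate 5/second accept
        meta l4proto icmp limit rate 1/second accept
        meta l4proto ipv6-icmp limit rate 1/second accept
    }
}
"""

# Assumed service-name table; socket.getservbyname is the fallback.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "pop3s": 995}

# Assumed list of ports worth a second look when exposed to every source.
NOTABLE = {
    5432: "PostgreSQL registered port: database reachable from any address",
    995: "registered pop3s port; ruleset labels it SSH, confirm what listens",
}

RULE_RE = re.compile(
    r"\b(tcp|udp)\s+dport\s+(\{[^}]*\}|\S+)\s+limit\s+rate\s+(\S+)\s+accept"
)
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")
POLICY_RE = re.compile(r"chain\s+input\s*\{[^}]*?policy\s+(\w+)\s*;")


def resolve_port(token):
    """Turn a numeric port or a service name into an integer port."""
    token = token.strip()
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    return socket.getservbyname(token)  # OSError if the name is unknown


def expand_ports(spec):
    """Expand `{ a, b-c }` or a single token into a list of (lo, hi) ranges."""
    ranges = []
    for token in spec.strip().strip("{}").split(","):
        token = token.strip()
        if not token:
            continue
        match = RANGE_RE.match(token)
        if match:
            ranges.append((int(match.group(1)), int(match.group(2))))
        else:
            port = resolve_port(token)
            ranges.append((port, port))
    return ranges


def input_policy(ruleset):
    """Return the input chain's default policy ('drop' here), or None."""
    match = POLICY_RE.search(ruleset)
    return match.group(1) if match else None


def exposed_ports(ruleset):
    """Sorted (proto, lo, hi, rate) tuples for every rate-limited accept rule."""
    found = []
    for proto, spec, rate in RULE_RE.findall(ruleset):
        for lo, hi in expand_ports(spec):
            found.append((proto, lo, hi, rate))
    return sorted(found)


def audit(ruleset):
    """Cross-reference exposed ports against NOTABLE; returns (proto, port, note)."""
    findings = []
    for proto, lo, hi, _rate in exposed_ports(ruleset):
        for port, note in NOTABLE.items():
            if lo <= port <= hi:
                findings.append((proto, port, note))
    return findings


if __name__ == "__main__":
    print("input policy:", input_policy(RULESET))
    for proto, lo, hi, rate in exposed_ports(RULESET):
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"{proto:<4}{span:<14}limit {rate}")
    for proto, port, note in audit(RULESET):
        print(f"NOTE {proto}/{port}: {note}")
```

Run it against the real file with `RULESET = open("/etc/nftables.conf").read()`; because the parser only understands the `proto dport ... limit rate ... accept` shape used in this ruleset, a rule written differently (for example without a rate limit) is silently skipped, so compare its output with `nft list ruleset` rather than trusting it alone.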